This is the complete filename of the server private key used for TLS negotiation with the clients and nufw servers.
Default: nuauth_tls_key="CONFIGDIR/nuauth-key.pem"
Password protecting the private key. It is stored in clear text in nuauth.conf, so the configuration file should be readable only by the account nuauth runs as, and the default value is a placeholder that must be changed.
Default: nuauth_tls_key_passwd="passwd"
This variable is the complete path to the server certificate.
Default: nuauth_tls_cert="/etc/nufw/nuauth-cert.pem"
The complete path to the certificate authority file.
Default: nuauth_tls_cacert="/etc/nufw/NuFW-cacert.pem"
The complete filename of the certificate authority's certificate revocation list (CRL).
Default: none (no revocation list is checked)
If set to 1, nuauth asks clients to send a certificate (the certificate is requested, not required).
If set to 2, the client has to present a valid certificate.
Default: nuauth_tls_request_cert=0
If set to 1, nuauth can additionally authenticate a client from the name carried in its certificate. This authentication fails if no group corresponds to the user name taken from the certificate. It only makes sense together with nuauth_tls_request_cert set to 1 or 2, since otherwise no certificate is received.
If set to 2, certificate-based authentication is mandatory.
Default: nuauth_tls_auth_by_cert=0
Set nufw_has_conntrack to 1 if nufw is able to modify conntrack entries.
This requires a kernel newer than 2.6.14 on the nufw side.
Set nufw_has_conntrack to 1 if nufw is able to give a fixed timeout to a conntrack entry.
This also requires a kernel newer than 2.6.14 on the nufw side.
The syntax is the following: each option that sets up a hook takes a list of modules separated by spaces.
For each module entry, the syntax is:
name[:type[:config file]]
The three forms mean:
name: load module "name" with its configuration taken from nuauth.conf
name:type: load module "type" with config file CONFIG_DIR/modules/name.conf
name:type:conf: load module "type" with config file "conf"
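The following parser is an added example, not NuFW's own module loader. It implements the three forms above and the mapping to the loaded module and its config file; the CONFIG_DIR value "/etc/nufw", the ModuleSpec field names and the "aclroot" instance name in the demo are assumptions made here (x509_std, libldap, plaintext, mark_uid and mark_flag are module names from this page). Because the name field is turned into a path in the two-field form, the parser refuses names containing path separators.

```python
"""Parse the module list syntax used by nuauth hook options."""
# Added example, not NuFW's own loader. The page gives the grammar
# name[:type[:config file]] with entries separated by spaces; the CONFIG_DIR
# value and the ModuleSpec field names are assumptions made here.
from dataclasses import dataclass
from typing import List, Optional

CONFIG_DIR = "/etc/nufw"  # assumed; the page only shows the CONFIG_DIR placeholder


@dataclass(frozen=True)
class ModuleSpec:
    name: str              # first field: instance name
    module: str            # module actually loaded ("name" or "type")
    config: Optional[str]  # config file; None means the section inside nuauth.conf


def parse_module_spec(spec: str, config_dir: str = CONFIG_DIR) -> ModuleSpec:
    """Map one entry to the loaded module and its config file.

    name            -> module "name", config from nuauth.conf itself
    name:type       -> module "type", config CONFIG_DIR/modules/name.conf
    name:type:conf  -> module "type", config file "conf"
    """
    fields = spec.split(":", 2)  # maxsplit=2 keeps a ':' inside an explicit path intact
    if any(f == "" for f in fields):
        raise ValueError(f"empty field in module spec {spec!r}")
    name = fields[0]
    if len(fields) == 1:
        return ModuleSpec(name, name, None)
    module = fields[1]
    if len(fields) == 3:
        return ModuleSpec(name, module, fields[2])
    # In the two-field form 'name' becomes part of a path: refuse separators so a
    # value like "../x" cannot resolve outside CONFIG_DIR/modules.
    if "/" in name or name in (".", ".."):
        raise ValueError(f"module name {name!r} must not contain a path")
    return ModuleSpec(name, module, f"{config_dir}/modules/{name}.conf")


def parse_module_list(value: str, config_dir: str = CONFIG_DIR) -> List[ModuleSpec]:
    """Split a space separated option value into ordered ModuleSpec entries."""
    return [parse_module_spec(tok, config_dir) for tok in value.split()]


def is_valid_module_list(value: str) -> bool:
    """True if every entry of the option value parses."""
    try:
        parse_module_list(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed option values; "aclroot" is an invented instance name.
    for value in ("x509_std", "aclroot:libldap",
                  "aclroot:plaintext:/etc/nufw/acls.txt", "mark_uid mark_flag"):
        print(value, "->", parse_module_list(value))
```

Order is preserved, which matters for options such as nuauth_certificate_check_module where the page recommends keeping x509_std first.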
This variable selects the module nuauth uses to check user credentials. Choose one of:
plaintext: user credentials are stored in a text file
system: authentication is done against PAM. This is a convenient way to reuse PAM modules.
Default: nuauth_user_check_module="libdbm"
This variable selects the module nuauth uses to fetch user ids. Choose one of:
plaintext: user ids are stored in a text file
system: user ids are taken from the system. This is a convenient way to use PAM features.
Default: nuauth_user_id_module="system"
This variable selects the module nuauth uses to fetch user groups. Choose one of:
plaintext: user groups are stored in a text file
system: groups are system groups retrieved via NSS. This is a convenient way to use NSS features.
Default: nuauth_user_id_module="system"
Choose here the ACL checking module. Choose one of:
libldap: ACLs are stored in an LDAP tree with a specific schema. This module enables dynamic ACLs and remote administration of them over the network.
plaintext: ACLs are stored in a plain text file. This is easy to manage for a small rule set, but nuauth has to be restarted for modifications to the file to be taken into account.
Default: nuauth_acl_check_module="libplaintext"
A fallback authentication module can be used to employ other authentication methods. Currently only an ident-based module is available. Note that ident answers are supplied by the client host itself and are trivially forged, so this fallback only identifies cooperative hosts.
Default: nuauth_ip_authentication_module="libipauthident"
User activity logging is done via a module, chosen between syslog and SQL modules. Only the SQL modules allow evolving towards an SSO system. Acceptable values for this parameter are:
mysql
pgsql
syslog
nuprelude
Default: nuauth_user_logs_module="syslog"
This defines the module used to log user connections and disconnections. The available modules are:
syslog
script : run a custom script at user connection (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh)
mysql
nuprelude
Default: nuauth_user_session_logs_module="syslog"
These modules check the client certificate and issue a verdict on its validity.
It is recommended to keep x509_std as the first module, as it performs the checks that are usually wanted.
Default: nuauth_certificate_check_module="x509_std"
These modules extract the username from the client certificate.
Currently there is only one provided module: x509_std.
Default: nuauth_certificate_to_uid_module="x509_std"
These modules define a set of time periods that ACLs can use to check a packet against a given period of time.
Currently only xml_defs is available. It stores period definitions in an XML file.
Default: nuauth_periods_module="xml_defs"
These modules provide a hook which can be used to modify a user session just after its creation.
It is useful when you want to modify a property such as the expiration date of the session.
Currently only libsession_expire is available. It modifies the session expiration to force the user to reconnect after a given time.
Default: nuauth_user_session_modify_module="libsession_expire"
These modules provide a hook which can be used to modify a packet before the decision and related information are sent to the nufw server. It is useful when you want to modify the mark, for example to set up QoS.
mark_group: set the mark depending on user groups.
mark_uid: use the next 16 bits of the mark to store the user id.
mark_field: set the mark depending on application name or OS name.
mark_flag: use the first 16 bits of the mark to store the mark given by the ACL.
Default: nuauth_finalize_packet_module="mark_uid"
These modules provide a way to log user authentication failures. For now, the only available modules are nuprelude and syslog. With the empty default, failed authentications are not logged anywhere, so detecting password guessing against nuauth requires enabling one of them.
Default: nuauth_auth_error_log_module=""
If set to 1, nuauth starts a server listening for connections on a Unix socket. The script in scripts/nuauth_command/ can be used to interact with some aspects of nuauth: basically, it provides the ability to list and destroy user sessions or to change the debug level. Since anyone able to connect to the socket can destroy sessions, restrict access to it.
Default: nuauth_use_command_server=1
What to do when several groups a user is a member of disagree about access rights. As the option name indicates, a value of 1 gives priority to the negative (NOK) verdict.
Default: nuauth_prio_to_nok=1
Clients can work in two modes:
POLL: the client checks at each time interval whether it needs to send an authentication packet (saves traffic on a WAN)
PUSH: nuauth warns clients that they may need to send an authentication packet (better response time on a LAN)
Default: nuauth_push_to_client=1
This selects the user connection policy:
0: no login restriction (default)
1: one login per user
2: one login per IP and per user
Reject with an ICMP message (instead of silently dropping) when the packet timeout is reached.
Default: nuauth_reject_after_timeout=0
Reject with an ICMP message (instead of silently dropping) when the user is not authorized by nuauth to send the packet.
Default: nuauth_reject_authenticated_drop=0
This is a fallback "hello" authentication mode for protocols that NuFW does not support natively. It brings authentication to every IP-based protocol by doing a posteriori IP-based authentication.
Default: nuauth_hello_authentication=0
This authentication is FAR less strict than the original NuFW protocol:
it authenticates a NATed computer as a whole (and therefore every computer behind the same gateway),
it is strictly single-user (one identity per IP address),
but it can authenticate all types of IP flows.
Do we use the fallback mode when no client is found[1]?
Default: nuauth_do_ip_authentication=1
If set to a non-zero value, this option causes nuauth to close a user session after the specified time. The client then has to reconnect (transparently or not). This allows, for example, disconnecting users whose account has been cancelled.
Disconnection occurs when nuauth has to authenticate a packet coming from the source IP of the connection
Default: nuauth_session_duration=0
This is the time in seconds to keep a packet in nuauth's internal connection tracking.
Default: nuauth_packet_timeout=15
This sets the timeout for the protocol announce from the client. If some of your clients (post-2.0 versions) receive a "bad protocol message", you may want to increase this value. This is a workaround for very laggy networks.
Default: nuauth_proto_wait_delay=2
A cache is implemented for ACL (and/or user) data. It speeds things up by decreasing the number of requests to external systems. This variable sets the data persistence in the cache (in seconds). Keep in mind that a change made in the external system, such as a revoked group membership, may not take effect until the cached entry expires.
Default: nuauth_datas_persistance=300
This option sets the delay after which an authentication negotiation that has not completed is considered failed and is forcibly interrupted.
Default: nuauth_auth_nego_timeout=30
A pool of threads is used to work on client authentication. This variable sets the number of threads used for this task.
Default: nuauth_number_usercheckers=5
A pool of threads is used to do ACL checking against the external authority and to treat gateway requests. This variable sets the number of threads working on gateway requests.
Default: nuauth_number_aclcheckers=5
A pool of threads is used to do logging. You may need to adjust it to the capability of the database server.
Default: nuauth_number_loggers=3
A pool of threads is used to do user connection logging. You may need to adjust it to the capability of the database server.
Default: nuauth_number_session_loggers=3
A pool of threads is used to do TLS and SASL negotiation with users. This sets the number of threads used for this task.
Default: nuauth_number_authcheckers=5
This sets the number of threads working on IP authentication.
Default: nuauth_number_ipauthcheckers=5
This sets the maximum number of simultaneously connected nufw authentication clients.
Default: nuauth_tls_max_clients=256
This sets the maximum number of simultaneously connected nufw servers.
Default: nuauth_tls_max_servers=8
This variable decides the level of verbosity of user activity logging. The log level is the sum of the values of the wanted items (so valid values range from 0 to 15):
0: no log at all
1: log new user (in syslog)
2: log rejected packets
4: log accepted packets
8: do complete session tracking [2]
Default: nuauth_log_users=0
This controls whether user logging is synchronous: when set to 1, the access is logged before it is granted.
Default: nuauth_log_users_sync=1
This sets the debug level of nuauth.
Default: nuauth_debug_level=0
This selects the debug areas of nuauth. The value is computed by a binary OR (equivalently, a sum) of the following values:
DEBUG_AREA_MAIN (1) main domain
DEBUG_AREA_PACKET (2) packet domain
DEBUG_AREA_USER (4) user domain
DEBUG_AREA_GW (8) gateway domain, interaction with nufw servers
DEBUG_AREA_AUTH (16) authentication domain
Default: nuauth_debug_level=31
If set to 1, this option causes nuauth to update the log entries in the database, to avoid accidental double connections, before inserting a new connection.
Default: nuauth_log_users_strict=1
If set to 1, this option causes nuauth to remove the realm from the username before logging.
Default: nuauth_log_users_without_realm=1
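The linter below is an added example, not part of NuFW. It reads key="value" lines in the form shown by the Default entries above and checks the TLS settings (the default key password, nuauth_tls_request_cert against nuauth_tls_auth_by_cert), the nuauth_log_users sum-of-values range, the hello authentication and synchronous logging switches, and whether an authentication-failure log module is set; it also decodes the debug-area mask into names. The assumed parts are the key=value format, the WARN:/INFO: output style and the constructed sample configuration; the option names, defaults and bit values are taken from this page.

```python
"""Lint the TLS, logging and fallback settings of a nuauth.conf."""
# Added example, not NuFW code. It assumes key="value" lines as shown in the
# Default entries, '#' comments, and the option names and defaults as the page
# gives them. Every finding follows from the page's own descriptions.
from typing import Dict, List

# Defaults quoted from the page for the options this linter looks at.
DEFAULTS = {
    "nuauth_tls_key_passwd": "passwd",
    "nuauth_tls_request_cert": "0",
    "nuauth_tls_auth_by_cert": "0",
    "nuauth_hello_authentication": "0",
    "nuauth_log_users": "0",
    "nuauth_log_users_sync": "1",
    "nuauth_auth_error_log_module": "",
}

# Bit values from the page, for nuauth_log_users and for the debug areas.
LOG_USERS_FLAGS = {1: "new users", 2: "rejected packets", 4: "accepted packets", 8: "session tracking"}
DEBUG_AREAS = {1: "MAIN", 2: "PACKET", 4: "USER", 8: "GW", 16: "AUTH"}


def parse_conf(text: str) -> Dict[str, str]:
    """Read key=value lines; surrounding double quotes are stripped from values."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def decode_mask(value: int, table: Dict[int, str]) -> List[str]:
    """Name the bits set in a sum-of-values option; report bits the page does not define."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)  # sum of the dict keys = all documented bits
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def lint(conf: Dict[str, str]) -> List[str]:
    """Return WARN:/INFO: findings for the settings described on this page."""
    out: List[str] = []

    def val(key: str) -> str:
        return conf.get(key, DEFAULTS[key])

    def ival(key: str):
        try:
            return int(val(key))
        except ValueError:
            out.append(f"WARN: {key} is not an integer: {val(key)!r}")
            return None

    if val("nuauth_tls_key_passwd") == DEFAULTS["nuauth_tls_key_passwd"]:
        out.append("WARN: default TLS key password left in place; the private key is protected by a published string")
    req, by = ival("nuauth_tls_request_cert"), ival("nuauth_tls_auth_by_cert")
    for key, v in (("nuauth_tls_request_cert", req), ("nuauth_tls_auth_by_cert", by)):
        if v is not None and v not in (0, 1, 2):
            out.append(f"WARN: {key}={v} is outside the documented range 0..2")
    if by and req == 0:
        out.append("WARN: certificate-based authentication is enabled but clients are never asked for a certificate (nuauth_tls_request_cert=0)")
    elif by == 2 and req == 1:
        out.append("INFO: certificate authentication is mandatory but certificates are only requested; nuauth_tls_request_cert=2 requires one")
    lu = ival("nuauth_log_users")
    if lu is not None and not 0 <= lu <= 15:
        out.append(f"WARN: nuauth_log_users={lu} has bits outside the documented flags: {decode_mask(lu, LOG_USERS_FLAGS)}")
    if ival("nuauth_hello_authentication") == 1:
        out.append("INFO: hello authentication is on: one identity per IP, and every host behind a NAT gateway shares it")
    if ival("nuauth_log_users_sync") == 0:
        out.append("INFO: asynchronous user logging: access can be granted before it is logged")
    if val("nuauth_auth_error_log_module") == "":
        out.append("INFO: no authentication-failure log module configured; failed logins are not recorded")
    return out


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """\
# constructed nuauth.conf excerpt
nuauth_tls_key="/etc/nufw/nuauth-key.pem"
nuauth_tls_key_passwd="passwd"
nuauth_tls_request_cert=0
nuauth_tls_auth_by_cert=1
nuauth_hello_authentication=1
nuauth_log_users=19
"""

if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print(finding)
    print("debug areas 31 ->", decode_mask(31, DEBUG_AREAS))
```

Run against the sample, it flags the unchanged key password, certificate authentication enabled without any certificate being requested, a nuauth_log_users value with an undefined bit (16), hello authentication being on and the missing failure log module.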
[1] When no client is known on the IP from which a packet comes, the fallback method is used.
[2] Complete session tracking needs special iptables rules, described in the documentation.